System and method for providing usage of and/or access to secured data via using push notification infrastructure

ABSTRACT

The present disclosure relates to reconstructing graphical images on a user device related to secured data from a system management appliance (SMA) and/or providing access to such secured data from a system management appliance (SMA), via a push notification mechanism. For example, a push notification regarding an event can include encoded data to permit the user device to reconstruct a graphical image which indicates information pertaining to the alert. Alternatively, the push notification can include a one-time password for access to the SMA on a temporary alternate route to a normal route between the SMA and the user device to permit the user device to obtain additional information pertaining to the push notification.

TECHNICAL FIELD

The present disclosure relates to providing usage of and/or access to secured data from a system management appliance (SMA) and, more particularly, to a system and method of providing usage of and/or access to secured data via a push notification mechanism.

BACKGROUND

Mobile applications have been used as solutions for system management. One advantage of such mobile applications is that alerts or other information from managed systems can be sent from System Management software to a mobile application in the form of a push notification.

Push notifications, though, are limited in size (e.g., 2 KB) and format, and are generally used as a summary of important information regarding an event, with the capability to launch an associated application to obtain detailed information regarding the event. However, in the case of a system management application or similar application, directly connecting to a target management server hosting the SMA, which is a high-security environment, may be difficult (where several additional security-related steps must be taken) or impossible (where a connection to the lab network or other high-security environment is not allowed or available).

For example, the current response of a user of a mobile device is to select the push notification to launch an application in the mobile device. In this arrangement, the application is effectively started up as if the user had selected it directly from the management system. This may require several prerequisite steps such as the establishment of a VPN, entering or re-confirming credentials, or other steps required to get to the high-security environment.

If this is not desirable or possible, the user must make do with information regarding the event provided in the push notification itself, which may be incomplete due to size and scope limitations of the push notification. For example, a system administrator may determine that access to an SMA needs to be shut down because of a security concern. Also, restrictions may be placed on access to information from the SMA when the user is outside of a certain geographical area, for example, when the user is in a foreign country. Also, different levels of access are often provided to users, and, in some instances, a user might not normally be permitted access to information related to an event identified in a push notification because the user does not have the required security clearance to access the information directly from the SMA.

As an example, consider an alert condition that is created on a server in a managed-hardware environment. The push notification itself provides an alert that a problem has occurred, but cannot convey detailed information (such as a graphical image or detailed event logs). In normal operation, the application has stored credentials for accessing the target elements from the SMA on a target management server. When a notification is received, the application can route to the target management server via a secured path to obtain more information using the same credentialing method that it would use when simply connecting to the SMA in the target management server in a standard user-initiated way. Generally, this is not a problem if the mobile device is on the same network or can access the SMA via a Virtual Private Network (VPN). However, in certain instances, such as noted above, this secured path is not available or requires too many extra steps for the user to easily obtain detailed information directly from the SMA in the target management server.

SUMMARY

In an aspect of the disclosure, a method includes providing an alert to a user device via a push notification from a system management appliance (SMA). The push notification includes encoded data to permit the user device to reconstruct information pertaining to the alert.

In another aspect of the disclosure, a method includes providing a push notification from a system management appliance (SMA) to a user device. The push notification includes a one-time password for access to the SMA on a temporary alternate route to a normal route between the SMA and the user device to permit the user device to obtain additional information pertaining to the push notification.

In another aspect of the disclosure, a system includes a system management appliance (SMA) configured to provide a push notification regarding an alert to a user device. The push notification includes encoded data to permit the user device to reconstruct information pertaining to the alert without having to communicate with the SMA after receiving the push notification.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is described in the detailed description which follows, in reference to the noted plurality of drawings by way of non-limiting examples of exemplary embodiments of the present disclosure.

FIG. 1 is an illustrative architecture of a computing system in accordance with aspects of the present disclosure.

FIG. 2 shows an exemplary cloud computing environment in accordance with aspects of the present disclosure.

FIG. 3 shows a structure for permitting a user device to reconstruct a graphical image which indicates information pertaining to an alert provided in a push notification in accordance with aspects of the present disclosure.

FIG. 4 shows a structure for providing access to secured data in an SMA on a temporary alternate route to a normal route between the SMA and a user device in accordance with aspects of the present disclosure.

FIG. 5 shows a structure for providing a user device with access to secured data in an SMA on a temporary alternate route, e.g., a push server, in accordance with aspects of the present disclosure.

FIG. 6 shows a flowchart of steps for reconstructing a graphical image which indicates information pertaining to an alert provided in a push notification in accordance with aspects of the present disclosure.

FIG. 7 shows a flowchart of steps for providing access to secured data in an SMA on a temporary alternate route to a normal route between the SMA and a user device in accordance with aspects of the present disclosure.

FIG. 8 shows a flowchart of steps for providing a user device with access to secured data in an SMA on a temporary alternate route which includes a push server in accordance with aspects of the present disclosure.

DETAILED DESCRIPTION

The present disclosure relates to using secured data for visually reconstructing images related to the secured data provided by a system management appliance (SMA) at a user device. More particularly, the present disclosure relates to providing an alert via a push notification to a user device, which push notification includes encoded data to permit the user device to reconstruct information pertaining to the alert. This information can include at least one of a graphical image, or other visual representation such as a graphical overlay, a schematic illustration, a table of conditions and an error list.

Among other advantages, the present disclosure permits advising a user device of an event, and providing information to permit reconstruction of information pertaining to the event, without the need for a VPN or other complicated network structure. Further, the present disclosure allows the communication of data to a user device which is easier to observe visually, without the need for a high cost network arrangement for sending images to the user device pertaining to an event. For example, encoded data to permit the construction of a simplified image can be provided with the push notification itself, without the need for sending images to the user device separate from the push notification. Still further, the present disclosure permits a very quick visual construction of a pertinent graphical image, graphical overlay, schematic illustration, table of conditions, error list, etc. without the need for additional network calls, which would require much more time.

The present disclosure also relates to providing access to secured data from a system management appliance (SMA) and, more particularly, to a system and method of providing access to secured data via a push notification mechanism. More particularly, the present disclosure relates to providing a user device with a push notification which includes a one-time password for access to the SMA on a temporary alternate route, to permit the user device to obtain additional information pertaining to the push notification.

In embodiments, a push notification which advises a user device of an event also includes encoded data, such as JavaScript Object Notation (JSON) data, Extensible Markup Language (.xml) data, Comma-separated values (CSV) data, simple tab-delimited text or a custom encoded data format. The encoded data permits a receiving application in a user device to decipher/reconstruct the encoded data in a graphical manner, for example. More particularly, the encoded data permits the construction of a graphical image, or other visual representation, which is related to the event. In embodiments, the push notification includes information so that the user can either construct a graphical image (or other visual representation) or access and derive secured data with fewer security restrictions or intermediate steps than would be necessary if the user attempts to access the secured data from the SMA via normal communication routes between the SMA and the user device. Because any access to the SMA is temporary in nature, and only pertains to the details related to the specific event noted in the push notification, allowing access in this temporary manner is much less risky than a full-rights login to the management program.
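As an added example (not code from the disclosure or from any product it names), the following Python shows how an alert's table of conditions and a small schematic layout can be carried as compact JSON inside the push payload itself, checked against the 2 KB limit the background cites, and reconstructed on the device with no call back to the SMA. The alert fields, symbol table and bay layout are constructed for illustration; the encryption and additional credentials the disclosure mentions for the encoded data are not modelled here.

```python
import json

# Push payload size limit cited in the background section (constructed constant)
PUSH_LIMIT_BYTES = 2048

# Constructed sample alert for one managed server; not real telemetry.
# "cond" is the table of conditions (component, state); "layout" is the
# schematic: rows of component bays in the order they sit in the chassis.
SAMPLE_ALERT = {
    "id": "evt-0001",
    "sev": "critical",
    "host": "srv-07",
    "msg": "PSU redundancy lost",
    "cond": [["psu1", "ok"], ["psu2", "fail"], ["fan1", "ok"], ["fan2", "warn"]],
    "layout": [["psu1", "psu2"], ["fan1", "fan2"]],
}

REQUIRED_FIELDS = ("id", "sev", "host", "msg", "cond", "layout")
SYMBOL = {"ok": "[ ]", "warn": "[!]", "fail": "[X]"}


def encode_push_payload(alert: dict) -> bytes:
    """SMA side: serialize with compact separators so the payload fits the limit.

    Raises ValueError rather than sending a truncated notification, which the
    device could otherwise misrender as a healthy chassis.
    """
    data = json.dumps(alert, separators=(",", ":"), sort_keys=True).encode("utf-8")
    if len(data) > PUSH_LIMIT_BYTES:
        raise ValueError(f"payload is {len(data)} B, over the {PUSH_LIMIT_BYTES} B push limit")
    return data


def decode_push_payload(data: bytes) -> dict:
    """Device side: parse the JSON and validate the fields the renderers rely on."""
    alert = json.loads(data.decode("utf-8"))
    missing = [k for k in REQUIRED_FIELDS if k not in alert]
    if missing:
        raise ValueError(f"push payload missing fields: {missing}")
    for name, state in alert["cond"]:
        if state not in SYMBOL:
            raise ValueError(f"unknown state {state!r} for component {name!r}")
    return alert


def render_table(alert: dict) -> str:
    """Reconstruct the 'table of conditions' as text lines, one per component."""
    lines = [f"{alert['host']} {alert['sev'].upper()}: {alert['msg']}"]
    lines.extend(f"  {name:<6} {state}" for name, state in alert["cond"])
    return "\n".join(lines)


def render_schematic(alert: dict) -> str:
    """Reconstruct the schematic: each bay drawn with its component's state symbol.

    A bay whose component has no entry in the table is drawn as [?], never as ok.
    """
    state = dict(alert["cond"])
    rows = []
    for row in alert["layout"]:
        rows.append(" ".join(f"{SYMBOL.get(state.get(c), '[?]')}{c}" for c in row))
    return "\n".join(rows)


if __name__ == "__main__":
    payload = encode_push_payload(SAMPLE_ALERT)
    alert = decode_push_payload(payload)
    print(f"{len(payload)} bytes\n{render_table(alert)}\n{render_schematic(alert)}")
```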

In embodiments, in addition to advising a user device of an event, the push notification includes a one-time password for providing temporary access to secured data which is stored by a system management appliance (SMA) via a temporary alternate route to a normal route between the SMA and the user device. This alternative will permit the user device to obtain additional secured information pertaining to the push notification. In this way, the present disclosure provides the ability to obtain details on an event when access via normal communication channels to the network containing the management server is restricted. For example, the systems and methods described herein allow a mobile device to avoid normal firewalls around an SMA in order to obtain information without creating substantial security risks for the SMA. The systems and methods also provide the ability to: (i) obtain details of the event without going through access and authorization steps, (ii) provide details on a specific event without requiring or allowing access to the full system management software, (iii) forward details to another user without giving them authorization to access the full system management software, and (iv) make detailed information only temporarily available to a user device.

In embodiments, the push notification includes information so that the user can either construct a graphical image (or other visual representation) or access and derive secured data with fewer security restrictions or intermediate steps than would be necessary if the user attempts to access the secured data from the SMA via normal communication routes between the SMA and the user device. Because any access to the SMA is temporary in nature, and only pertains to the details related to the specific event noted in the push notification, allowing access in this temporary manner is much less risky than a full-rights login to the management program.

As described herein, implementations may be a system, a method, and/or a computer program product. The steps, methods and/or functionality disclosed herein can be implemented in any combination of hardware circuitry and software. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects described herein. The computer readable storage medium (or media) includes, for example, non-transitory media such as flash memory, permanent memory such as read-only memory (“ROM”), semi-permanent memory such as random access memory (“RAM”), any other suitable type of storage component, or any combination thereof. Accordingly, the computer readable storage medium, as used herein, is not to be construed as being a transitory signal per se.

FIG. 1 is an illustrative architecture of a computing system 100 in accordance with aspects described herein for implementing the SMA. The computing system 100 is only one example of a suitable computing system and is not intended to suggest any limitation as to the scope of use or functionality of aspects described herein. The computing system 100 serves as a target management server for hosting an SMA, and includes a computing device 105. The computing device 105 can be resident on a network infrastructure such as within a cloud environment (shown in FIG. 2), or may be a separate independent computing device (e.g., a computing device of a third party service provider).

As described herein, the computing device 105 may perform tasks (e.g., processes, steps, methods and/or functionality) in response to processor 115 executing program instructions contained in a computer readable storage medium, such as system memory 125. The program instructions may be read into system memory 125 from another computer readable storage medium, such as data storage device 120, or from another device via the communication interface 140 or server within or outside of a cloud environment. In embodiments, an operator may interact with computing device 105 via the one or more input devices 130 and/or the one or more output devices 135 to facilitate performance of the tasks and/or realize the results of such tasks in accordance with aspects described herein.

The computing device 105 may include a bus 110, a processor 115, a storage device 120, a system memory (hardware device) 125, one or more input devices 130, one or more output devices 135, and a communication interface 140. In embodiments, the computing device 105 can be a secure server, e.g., management server hosting the SMA. The bus 110 permits communication among the components of computing device 105. For example, bus 110 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures to provide one or more wired or wireless communication links or paths for transferring data and/or power to, from, or between various other components of computing device 105.

The processor 115 may be one or more conventional processors or microprocessors that include any processing circuitry operative to interpret and execute computer readable program instructions, such as program instructions for controlling the operation and performance of one or more of the various other components of computing device 105. In embodiments, processor 115 interprets and executes the processes, steps, functions, and/or operations described herein, which may be operatively implemented by the computer readable program instructions.

For example, the processor 115 may execute one or more applications and/or program modules that provide a user with a push notification, advising the user of an event. The push notification can include encoded data to permit the user device to reconstruct a graphical image, or other visual representation, which indicates information pertaining to the event. Alternately, the push notification can include a one-time password to permit access to secure information stored in an SMA via a temporary alternate route between the SMA and the user device. In one example, an event causes the push notification to be delivered to a user device with appropriate details to permit the construction of a graphical image or other visual representation related to an event indicated in the push notification. In another example, the event causes the push notification to be delivered to a user device with a one-time password to permit the user device to obtain more detailed secured information regarding the event from the SMA via a temporary alternate route. In any case, this allows a mobile device 320 to avoid normal firewalls around an SMA, and thus to obtain information without creating substantial security risks for the SMA. This also provides the ability to: (i) obtain details of the event without going through access and authorization steps, (ii) provide details on a specific event without requiring or allowing access to the full system management software, and (iii) forward details to another user without giving them authorization to access the full system management software.

More specifically, in embodiments, the encoded data pertaining to secured information can be sent to a user device 320 at the same time in which a push notification is sent to the user device (mobile device) 320 via, e.g., a push server 314. In embodiments, the push notification includes encoded information pertaining to secured data 322 which has been stored in the computing device 105 of the target management server 100 which hosts the SMA. The secured data 322 is related to the event, and reconstructing a graphical image or other visual representation in the user device based upon the encoded data provided with the push notification does not require the user device to provide credentials which would normally be necessary to obtain the secured data 322 directly from the SMA, itself.

In embodiments, the encoded data for permitting construction of a graphical image or other visual representation can be provided in encrypted form. For example, the encoded data can be JavaScript Object Notation (JSON) data, or some other type of encoded data such as Extensible Markup Language (.xml) data, Comma-separated values (CSV) data, simple tab-delimited text and a custom encoded data format. The encoded data permits a receiving application in a user device to decipher/reconstruct the encoded data in a graphical manner or other visual representation. In addition, the encoded data may be protected with an additional set of credentials, different than the credentials which would be required to access the secured data directly from the SMA. Further, the encoded data may also include detailed log information, or other information related to the event in the push notification, in addition to the information required for constructing a graphical image pertaining to the event noted in the push notification. In an illustrative example, a server is managed by a system management software program such as Lenovo XClarity Administrator (LXCA). The management of the information can be done within the secure datacenter network environment, while the system administrator (“user”) is without direct access to the datacenter network.

In operation, a user can access the encoded data directly from the push notification via a web browser (of the mobile device 320). In alternative embodiments, the push notification can trigger an application (either the primary mobile application for the systems management or an independent, purpose-specific application) which decodes and permits construction of the graphical image. In this way, the user can obtain details on the event in full rich-web format without having to provide full credentials to access the primary system management software. Accordingly, by implementing the systems and methods described herein, the computing system 100 may be configured to operate as a target management server to host a System Management Appliance (SMA) (see FIG. 3) to provide a user device with a push notification 312.

Also, the computing device 105 can provide notifications regarding errors which occur within the managed network. For example, when an error occurs on the server, an alert is logged on the systems management software. The details related to the particular failure on the particular server are formatted (including appropriate graphicals, detailed logs, etc.) and are sent to the user device as encoded data to permit construction of a graphical image pertaining to the error, as described herein.

In further embodiments, such as shown in FIGS. 4 and 5, the processor 115 may execute one or more applications and/or program modules that provide a user with a push notification, advising the user of an event, wherein the push notification includes a one-time password to permit temporary access to secured data, related to the event, via a temporary alternate route. The secured data has been stored by a system management appliance (SMA) in a server. By virtue of using the temporary alternate route, it is not necessary for the user to provide credentials necessary to obtain the secured data directly from the SMA using normal communication routes. This allows the mobile device 320 to avoid normal firewalls around an SMA to obtain information without creating substantial security risks for the SMA. This also provides the ability to: (i) obtain details of the event without going through access and authorization steps, (ii) provide details on a specific event without requiring or allowing access to the full system management software, (iii) forward details to another user without giving them authorization to access the full system management software, and (iv) make detailed information temporary so that secure information is not persistent on another party server.

More specifically, in embodiments, the push notification including the notice and the one-time password is sent to the user device (mobile device) 320 via, e.g., a push server 314. In embodiments, the one-time password permits temporary access to secured data 322, which has been stored in the SMA program in the computing device 105. The secured data 322 is related to the event and, by allowing the user device to access the SMA via a temporary alternate route, it is not necessary for the user to provide credentials necessary to obtain the secured data 322 using normal communication routes between the user device and the SMA.

In embodiments, the one-time password provided is temporary and can self-destruct if the user does not take action after a given (selectable) period of time or other predefined occurrence. This one-time password can be sent with the push notification in encrypted form. In addition, the one-time password may be protected with an additional set of credentials, different than the credentials which would be required to access the secured data directly from the SMA using normal communication routes rather than the temporary alternate route. Also, the one-time password is structured in such a way so as not to be predictable and not to allow for extrapolation for future uses. Further, in addition to the one-time password, the push notification may include graphicals, detailed log information, or other information related to the event in the push notification.

Alternatively, rather than being provided in the push notification, itself, the one-time password can be sent as an additional signal in conjunction with the push notification which facilitates the addition of graphicals, detailed log information or other information related to the event in the push notification. In an illustrative example, a server is managed by a system management software program such as Lenovo XClarity Administrator (LXCA). The management of the information can be done within the secure datacenter network environment, while the system administrator (“user”) is without direct access to the datacenter network.

In operation, the one-time password can be encoded in a push notification which is sent to the user's device along with an event summary. The user can access the data associated with the one-time password directly from the push notification via a web browser (of the mobile device 320). In alternative embodiments, the push notification can trigger an application (either the primary mobile application for the systems management or an independent, purpose-specific application) which decodes and accesses the hosted data associated with the one-time password. In this way, the user can obtain details on the event in full rich-web format without having to provide full credentials to access the primary system management software. Accordingly, by implementing the systems and methods described herein, the computing system 100 may be configured to operate as a target management server to host a System Management Appliance (SMA) (see FIG. 3) to provide a user with a push notification.

Also, with regard to providing a one-time password with a push notification, instead of providing encoded data to permit reconstruction of a graphical image, the computing device 105 can provide such push notifications regarding errors which occur within the managed network. For example, when an error occurs on a server, an alert is logged on the systems management software. The details related to the particular failure on the particular server are formatted (including appropriate graphicals, detailed logs, etc.) and stored as secured data 322 where they can be accessed using the one-time password, as described herein.

The periods of time during which the one-time password or encoded data information included in the push notification are valid may be variable depending on the severity, sensitivity, or source of the triggering event. Thus, simple information alerts may be kept for a longer period of time (befitting their less-urgent status), while critical alerts may be removed after a short while (since they represent a more significant security exposure if the address is hacked). It is also noted that the secured data 322 can be hosted temporarily, to expire within a preset period of time, if desired.

It is also noted that the push notification can include both encoded data, such as JSON data to permit reconstructing a graphical image in the user device, and a one-time password to permit the user device to access additional secured data from the SMA via a temporary alternate route, thereby combining the advantages discussed above for respective embodiments. In this regard, it is noted that plural push notifications can be provided by the SMA to the user device with the additional information, such as the encoded data and the one-time password, respectively. It is further noted that, although the above description pertains to a one-time password, it is within the scope of the present disclosure that the password could be used more than a single time, if authorized by the SMA.
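As an added example (not the disclosure's or LXCA's code), the following Python shows the SMA-side handling of the one-time password described in the preceding paragraphs: a token drawn from the OS random source so it is neither predictable nor extrapolable, stored only as a hash, bound to a single event, expiring on a severity-dependent schedule, single-use by default but with a configurable use count as the last paragraph allows. The severity windows, event ids and secured data are constructed values; encryption of the token in transit and the additional credentials the disclosure mentions are not modelled.

```python
import hashlib
import hmac
import secrets

# Validity window per severity, in seconds. Constructed values following the
# rule in the text: critical alerts expire fastest because a leaked token for
# them is the larger exposure, while informational ones may live longer.
VALIDITY_SECONDS = {"info": 24 * 3600, "warning": 3600, "critical": 600}


def _digest(otp: str) -> str:
    """Store only a hash of the OTP so a copy of the store cannot be replayed."""
    return hashlib.sha256(otp.encode("utf-8")).hexdigest()


class OneTimePasswordStore:
    """SMA-side registry of outstanding one-time passwords (in-memory, constructed)."""

    def __init__(self) -> None:
        self._records = {}  # sha256(otp) -> record

    def issue(self, event_id: str, severity: str, secured_data: str,
              now: float, max_uses: int = 1) -> str:
        """Mint a token for one event. 192 bits from the OS CSPRNG: not
        predictable, and no issued token reveals anything about the next."""
        otp = secrets.token_urlsafe(24)
        self._records[_digest(otp)] = {
            "event_id": event_id,
            "expires": now + VALIDITY_SECONDS[severity],
            "uses_left": max_uses,
            "data": secured_data,
        }
        return otp

    def redeem(self, otp: str, event_id: str, now: float) -> tuple:
        """Alternate-route endpoint: returns (secured_data, 'ok') or (None, reason).

        Only the data of the event the token was minted for is ever released,
        so a token never turns into a full-rights login to the SMA.
        """
        key = _digest(otp)
        rec = self._records.get(key)
        if rec is None:
            return None, "unknown"
        if now >= rec["expires"]:
            del self._records[key]  # self-destruct on first touch after expiry
            return None, "expired"
        if not hmac.compare_digest(rec["event_id"], event_id):
            return None, "wrong-event"
        rec["uses_left"] -= 1
        if rec["uses_left"] <= 0:
            del self._records[key]  # single-use by default
        return rec["data"], "ok"

    def purge(self, now: float) -> int:
        """Self-destruct for tokens the user never acted on; returns count removed."""
        stale = [k for k, r in self._records.items() if now >= r["expires"]]
        for k in stale:
            del self._records[k]
        return len(stale)


def build_push(event_id: str, severity: str, summary: str, otp: str) -> dict:
    """The notice handed to the push server: event summary plus the OTP."""
    return {"id": event_id, "sev": severity, "msg": summary, "otp": otp}
```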

Still referring to FIG. 1, in embodiments, processor 115 may receive input signals from one or more input devices 130 and/or drive output signals through one or more output devices 135. The input devices 130 may be, for example, a keyboard or touch sensitive user interface (UI). The output devices 135 can be, for example, any display device, printer, etc.

The storage device 120 may include removable/non-removable, volatile/non-volatile computer readable storage media, such as, but not limited to, non-transitory media such as magnetic and/or optical recording media and their corresponding drives. The drives and their associated computer readable storage media provide for storage of computer readable program instructions, data structures, program modules and other data for operation of computing device 105 in accordance with the different aspects described herein. In embodiments, storage device 120 may store operating system 145, application programs 150, and program data 155 that perform the processes described herein, in addition to the secure data 322.

The system memory 125 may include a computer readable storage medium, including for example, non-transitory media such as flash memory, permanent memory such as read-only memory (“ROM”), semi-permanent memory such as random access memory (“RAM”), any other suitable type of storage component, or any combination thereof. A computer readable storage medium, as used herein, is not to be construed as being a transitory signal per se. In some embodiments, an input/output system 160 (BIOS) including the basic routines that help to transfer information between the various other components of computing device 105, such as during start-up, may be stored in the ROM. Additionally, data and/or program modules 165, such as at least a portion of operating system 145, application programs 150, and/or program data 155, that are accessible to and/or presently being operated on by processor 115 may be contained in the RAM.

The communication interface 140 may include any transceiver-like mechanism (e.g., a network interface, a network adapter, a modem, or combinations thereof) that enables computing device 105 to communicate with remote devices or systems, such as a mobile device or other computing devices such as, for example, a server in a networked environment, e.g., cloud environment. For example, computing device 105 may be connected to remote devices or systems via one or more local area networks (LAN) and/or one or more wide area networks (WAN) using communication interface 140.

FIG. 2 shows an exemplary cloud computing environment 200 which can implement the processes and systems described herein. Cloud computing is a computing model that enables convenient, on-demand network access to a shared pool of configurable computing resources, e.g., networks, servers, processing, storage, applications, and services, that can be provisioned and released rapidly, dynamically, and with minimal management efforts and/or interaction with the service provider. In embodiments, one or more aspects, functions and/or processes described herein may be performed and/or provided via cloud computing environment 200 including, e.g., push notifications and transfer and temporary storage of the secure data. Accordingly, it should be understood by those of ordinary skill in the art that the cloud resources 205 can include, e.g., push servers, secure servers and the SMA.

As depicted in FIG. 2, cloud computing environment 200 includes cloud resources 205 that are made available to client devices 210 via a network 215, such as the Internet. Cloud resources 205 can include a variety of hardware and/or software computing resources, such as servers, databases, storage, networks, applications, and platforms. In embodiments, as described herein, cloud resources 205 may include a software defined environment including a network management server that provides a user device with a push notification with appropriate encoded data to permit the construction of a graphical image related to an event indicated in the push notification, or with a one-time password to permit the user device to obtain more detailed secured information regarding the event from the SMA via a temporary alternate route. In either case, the user device can obtain information related to the secured data without requiring the user to provide credentials necessary to obtain the secured data directly from the SMA using normal communication routes between the SMA and the user device.

Cloud resources 205 may be on a single network or a distributed network. Cloud resources 205 may be distributed across multiple cloud computing systems and/or individual network enabled computing devices.

Client devices 210 may comprise any suitable type of network-enabled computing device, such as servers, desktop computers, laptop computers, handheld computers (e.g., smartphones, tablet computers), set top boxes, and network-enabled hard drives.

Cloud computing environment 200 may be configured such that cloudresources 205 provide computing resources to client devices 210 througha variety of service models, such as Software as a Service (SaaS),Platforms as a service (PaaS), Infrastructure as a Service (IaaS),and/or any other cloud service models. Cloud resources 205 may beconfigured, in some cases, to provide multiple service models to aclient device 210. For example, cloud resources 205 can provide bothSaaS and IaaS to a client device 210.

Cloud computing environment 200 may be configured such that cloudresources 205 provide computing resources to client devices 210 througha variety of deployment models, such as public, private, community,hybrid, and/or any other cloud deployment model. Cloud resources 205 maybe configured, in some cases, to support multiple deployment models. Forexample, cloud resources 205 can provide one set of computing resourcesthrough a public deployment model and another set of computing resourcesthrough a private deployment model.

FIG. 3 shows an illustrative structure and processes in which a system management appliance (SMA) 310 hosted in a target management server 100 provides a push notification 312 to a push server 314, amongst other features. As discussed above, the target management server 100 can be the computing system 100 such as shown in FIG. 1. In embodiments, the push server 314 receives the push notification 312 from the target management server 100, e.g., SMA 310, and then provides the push notification 312 to a user (e.g., mobile device 320).

As discussed above, the push notification which advises a user device of an event also includes encoded data, such as JavaScript Object Notation (JSON) data, Extensible Markup Language (.xml) data, Comma-separated values (CSV) data, simple tab-delimited text and a custom encoded data format, which permits a receiving application in a user device to decipher/reconstruct the encoded data in a graphical way. More particularly, the encoded data permits the construction of a graphical image which is related to the event which the push notification advises the user device of.

For example, as shown in FIG. 3, the graphical image can be a simple chassis map 330 of a server structure. The chassis map 330 is constructed in the mobile user device 320 based on the JSON data provided with the push notification. As shown in FIG. 3, the JSON data indicates appropriate information for respective slots of the chassis map 330 in the user device 320. For example, slot 1 on the lower left of the chassis map 330 can be colored with an appropriate color, such as red, to indicate a critical state for the server being identified in the push notification 312. Slot 2 on the lower right side of the chassis map 330 can be colored with an appropriate color, such as yellow, to indicate a warning state. Slots 3 and 4 can be colored with an appropriate color, such as green, to indicate that they are in a normal condition. In this way, the chassis map 330 shown on the user mobile device 320 can provide a simple graphical representation, based on the JSON data, regarding the status of slots of a server being identified in the push notification 312 so that the user will immediately be aware of which slots of the server are in need of attention. It is noted that although colors have been described regarding providing notifications of the status of different slots of the server, this is merely an illustrative example, and other forms of notification could be provided, such as numerical indicators, alphabetical indicators, star indicators, etc. Also, although a chassis map of a server has been used as an example, the encoded data could permit reconstruction of any type of hardware configuration or hardware component configuration, including, for example, a server, a switch, a storage component, a power supply, a cooling device, such as a fan, a motherboard, etc. As an example, a motherboard could be provided with visual indicators (overlaid on a graphic of the motherboard) to show where a memory DIMM has an error.

It is possible to encrypt the data in the push notification beyond HTTPS. For example, the XClarity Administrator, which is an SMA, already requires the mobile device to have a Certificate Authority from a unique XClarity Administrator instance. This certificate could further be used to secure potentially sensitive data.

Also, given the size allotment for push notifications (e.g., 2 KB), it is possible to send multiple unique data constructs in a single message that could represent different graphics. For example, a single message could include the necessary data for multiple different chassis maps, or a chassis map and a completely separate object. Further, it is possible to group other message data (e.g., multiple notifications) into the data construct. For example, this provides the ability to visually show an error as well as to provide additional contextual error details within the visualized construct. Thus, a message could be included in the encoded data provided with the push notification to advise the user in words of the nature of the problem which is visually identified in the graphical reconstruction.

It is also possible to provide a dynamic construct. For example, in an effort to be as efficient as possible, the system could recognize the size limits of a push notification and include additional details (e.g., support contact for critical systems, MTM, VPD, etc.) with the push notification or, alternatively, remove unnecessary information (e.g., not sending data on normal systems) as necessary to maximize efficiency and to prevent multiple messages.

Prioritization schemes can also be provided in accordance with aspects of the present disclosure. For example, if multiple systems enter a critical state (e.g., red state, as noted above), a graphical construct of those systems could be prioritized, with warning systems (e.g., yellow state, as noted above) sent later if the size limit of the push notification has been reached. In other words, it is possible to send multiple push notifications with encoded data if the encoded data necessary to provide a graphical reconstruction and/or provide additional information regarding the graphical reconstruction exceeds the size limit (e.g., 2 KB) permitted in a single push notification.
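The encoding, size-limit, prioritization and reconstruction behaviour described in the preceding paragraphs can be seen end to end in the following Python example. It is added here for illustration and is not code from the patent or from any SMA product; the JSON field names (`type`, `id`, `slot_count`, `slots`, `state`, `detail`, `support`), the 2 KB default, and the sample slot data are all assumptions or constructed values. The sender orders slots critical first, omits normal slots, and splits into a second notification only when the next slot would push the payload over the limit; the receiver merges whatever arrives and treats unmentioned slots as normal.

```python
import json

PUSH_LIMIT_BYTES = 2048          # size allotment for one push notification, as given in the text
PRIORITY = {"critical": 0, "warning": 1, "normal": 2}   # critical constructs go out first
COLOR = {"critical": "red", "warning": "yellow", "normal": "green"}   # colours used in the text


def _encode(construct):
    """Compact JSON as it would be placed in the notification payload (assumed format)."""
    return json.dumps(construct, separators=(",", ":"), sort_keys=True)


def build_payloads(chassis_id, slot_count, slots, limit=PUSH_LIMIT_BYTES, drop_normal=True):
    """SMA side: turn slot states into one or more JSON constructs that each fit the limit.

    Slots are ordered critical > warning > normal before packing, so when the limit is hit the
    warning slots spill into a later notification rather than the critical ones. With
    drop_normal, normal slots are omitted entirely; the receiver treats any slot it is not
    told about as normal, which keeps most alerts within a single message.
    """
    ordered = sorted(slots, key=lambda s: PRIORITY[s["state"]])
    if drop_normal:
        ordered = [s for s in ordered if s["state"] != "normal"]

    def header():
        return {"type": "chassis_map", "id": chassis_id, "slot_count": slot_count, "slots": []}

    payloads, current = [], header()
    for slot in ordered:
        candidate = dict(current, slots=current["slots"] + [slot])
        if len(_encode(candidate).encode("utf-8")) <= limit:
            current = candidate
            continue
        if not current["slots"]:
            raise ValueError(f"slot {slot['slot']} alone exceeds the {limit}-byte limit")
        payloads.append(_encode(current))          # close this notification, start the next
        current = dict(header(), slots=[slot])
        if len(_encode(current).encode("utf-8")) > limit:
            raise ValueError(f"slot {slot['slot']} alone exceeds the {limit}-byte limit")
    if current["slots"] or not payloads:           # an all-normal chassis still gets one message
        payloads.append(_encode(current))
    return payloads


def reconstruct_chassis_map(payloads):
    """User device side: merge received constructs into a full slot -> state map.

    Later notifications only add slots; slots never mentioned are rendered as normal.
    """
    merged, slot_count, chassis_id = {}, None, None
    for raw in payloads:
        data = json.loads(raw)
        if data.get("type") != "chassis_map":
            raise ValueError("unexpected construct type")
        if chassis_id not in (None, data["id"]):
            raise ValueError("constructs belong to different chassis")
        chassis_id, slot_count = data["id"], data["slot_count"]
        for slot in data["slots"]:
            merged[slot["slot"]] = slot
    return {n: merged.get(n, {"slot": n, "state": "normal"}) for n in range(1, slot_count + 1)}


def render(chassis_map):
    """Text stand-in for the coloured chassis graphic, one line per slot."""
    lines = []
    for n, slot in sorted(chassis_map.items()):
        extra = f" - {slot['detail']}" if "detail" in slot else ""
        lines.append(f"slot {n}: {COLOR[slot['state']]}{extra}")
    return "\n".join(lines)


# Constructed sample input (not from the page): slot 1 critical, slot 2 warning, 3 and 4 normal,
# as in the FIG. 3 description, plus the contextual details the text says may be grouped in.
SAMPLE_SLOTS = [
    {"slot": 1, "state": "critical", "detail": "PSU failure", "support": "555-0100"},
    {"slot": 2, "state": "warning", "detail": "fan speed high"},
    {"slot": 3, "state": "normal"},
    {"slot": 4, "state": "normal"},
]

if __name__ == "__main__":
    msgs = build_payloads("chassis-A", 4, SAMPLE_SLOTS)
    for raw in msgs:
        print(len(raw.encode("utf-8")), "bytes:", raw)
    print(render(reconstruct_chassis_map(msgs)))
```

Lowering `limit` (for instance to 150 bytes with the sample above) forces the split: the first notification carries only the critical slot and the warning slot follows in a second one, while the device still renders all four slots because `slot_count` travels in every construct.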

As shown in FIG. 4, a structure is provided to permit access to secure data in an SMA 310 in a target management server 100 on an alternate route 426 (other than a normal route between the SMA 310 and a user device 320). In this arrangement, a push notification 412 includes notification of an event and a one-time password/credentials which will permit a user device, such as the mobile device 320, to have temporary access to the SMA 310 via the temporary alternate route 426. The push notification 412, including the one-time password/credentials, is provided to the user device 320 through a push server 314. The temporary alternate route 426 permits access to a normally blocked port of the target management server 100 which hosts the SMA 310. Alternatively, the temporary alternate route 426 can permit access through a hole in a firewall to give temporary access to the SMA 310.

Regarding any of the embodiments, the credentials for the one-time password are preferably in the form of encrypted data in a cryptographical key used to derive a set of single-use credentials. The credentials which are derived can have a strict time limit as well as the one-time use limitation. Thus, if the credentials related to the one-time password are not used within a preset period of time, they will become invalid. It is to be noted that the credentials regarding the one-time password can trigger software which will limit the capabilities of the user device 320 when connected via the alternate route 426. For example, when the user device 320 is logged into the target management server 100 via the one-time use password, the user device 320 may be allowed to view event details, but may be prohibited from taking potentially dangerous actions, such as power actions. In other words, the user device 320 may be prevented from turning off devices associated with the server, or other device, to which the push notification pertains.

In any of the embodiments, it is possible to provide simultaneous creation of an associated account in the SMA 310. In other words, when a management software instance sends a push notification to a mobile device, it can also create an account associated with the credentials set that would be created by the user mobile device 320 in response to information provided in the push notification 312. This associated account could be a “throwaway account,” which would allow access to the account for a short period of time when it is open, followed by deletion of the account (or requiring a different password for the next access to the account). This temporary account can be subject to the limitations noted above with regard to encryption and time limits for use of the account.

In embodiments, the information included in the push notification, including the one-time password, may make use of any known cryptographical method. Particular methods for such encryption can be chosen based on desired levels of security. For example, two-factor authentication can be used. In this arrangement, information sent in the clear as part of the push notification is combined with information unique to an instance of the application or device (such as a serial number or previously defined private key, or a user-entered passcode, fingerprint or facial recognition) to ensure that the notification can only be acted upon by an intended recipient. Alternatively, a One-Time Pad (OTP) can be utilized for encryption. In this case, the application instance and the target instance have previously exchanged cryptographical keys, for example, during initial set up or when connected via a secure path. In this case, the push notification 412 includes a flag that indicates that the next available OTP key is to be used to generate the set of credentials from the encrypted data.

Time-based authentication can also be used for cryptographical purposes. For example, various cryptographical schemes incorporating keys that change with time or are generated/seeded according to real-time or elapsed time from a given instance can be utilized. Another alternative is to use simple cipher text, wherein an application may use an instance-unique cipher to decode a credential set. On the other hand, in appropriate instances, a credential set may be sent without any encryption (e.g., “in-the-clear”), relying instead on the temporary nature of the one-time password and/or the limited capabilities of the log-on for security.
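The single-use, time-limited credential derivation sketched above (clear information in the notification combined with a secret unique to the application instance) can be realised as follows. This is an added Python example, not code from the patent; it picks one concrete scheme among the "any known cryptographical method" the text permits, namely HMAC-SHA256 keyed with a shared secret assumed to have been exchanged at initial set-up, over the event id, a random nonce and an expiry time that travel in the clear. The names (`derive_password`, `issue_credentials`, `AlternateRouteGate`) and the 300-second default are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption (not from the page): the SMA and the app instance share a key exchanged at
# initial set-up; only the clear part below is placed in the push notification.


def derive_password(shared_key: bytes, clear: dict) -> str:
    """Computed identically on the SMA and on the user device.

    Binding event id, nonce and expiry into the MAC means the clear part cannot be
    altered in transit (e.g. to extend the expiry) without invalidating the password.
    """
    msg = f"{clear['event']}|{clear['nonce']}|{clear['expires']}".encode("utf-8")
    digest = hmac.new(shared_key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest[:18]).decode("ascii")   # 24-character password


def issue_credentials(shared_key: bytes, event_id: str, now: int, ttl_seconds: int = 300):
    """SMA side: build the clear part that rides in the notification and the password the
    SMA expects at the blocked port. Returns (clear, password)."""
    clear = {"event": event_id, "nonce": secrets.token_hex(8), "expires": int(now) + ttl_seconds}
    return clear, derive_password(shared_key, clear)


class AlternateRouteGate:
    """Checks a presented credential set at the normally blocked port: expiry first,
    then single use, then the MAC itself with a constant-time comparison."""

    def __init__(self, shared_key: bytes):
        self.shared_key = shared_key
        self.used_nonces = set()

    def authenticate(self, clear: dict, presented: str, now: int):
        if now > clear["expires"]:
            return False, "expired"
        if clear["nonce"] in self.used_nonces:
            return False, "already used"
        expected = derive_password(self.shared_key, clear)
        if not hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii")):
            return False, "bad credential"          # a real gate would also rate-limit here
        self.used_nonces.add(clear["nonce"])        # burn the nonce on the first success
        return True, "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)                   # constructed stand-in for the set-up key
    clear, _ = issue_credentials(key, "evt-1", now=1_700_000_000)
    device_password = derive_password(key, clear)   # the device's own copy of the key
    gate = AlternateRouteGate(key)
    print(gate.authenticate(clear, device_password, now=1_700_000_100))   # (True, 'ok')
    print(gate.authenticate(clear, device_password, now=1_700_000_100))   # (False, 'already used')
```

The gate is stateless apart from the set of burned nonces, so it can run on the target management server or on a push server that terminates the alternate route; either way the password itself never appears in the notification, only the material needed to derive it by a holder of the instance key.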

Among other advantages, the arrangement/configuration shown in FIG. 4 provides the ability for a user device 322 to connect back via the temporary alternate route 426 to the SMA 310 for additional details if a preferred normal connection path is not available. In effect, the arrangement/configuration shown in FIG. 4 provides an ad hoc secure server or ad hoc VPN connection which permits a mobile user device 322 to gather important information regarding an event indicated in a push notification 412 in a secure manner without the need for the credentials normally required for accessing the SMA 310.

As shown in FIG. 5, the temporary alternate route 426 between the user mobile device 320 and the SMA 310 can be provided through the push server 314, rather than via an independent path (such as shown in FIG. 4). This provides the advantage that the push server 314 already has, by definition, a valid connection from the user device to the target management server 100 (and the SMA 310), which initiated the push notification 412 in the first place. Otherwise, the arrangement/configuration shown in FIG. 5 operates in the same manner discussed above with regard to FIG. 4 by providing a push notification 412 which includes a one-time password with credentials to permit temporary access 422 by the user mobile device 320 to a normally blocked port or a hole in a firewall in the target management server 100 so that the user mobile device 320 can obtain additional secured data 322 from the target management server 100 pertaining to an event indicated in the push notification 412. It is noted that the “credentials” in this case are assumed to be a user ID/password pair. However, other credentialing schemes are possible, including the use of existing user IDs and only a temporary password, or any other combination of new and known credentials.

FIG. 6 shows a flowchart of steps which can be implemented, for example, using the computing system 100 shown in FIG. 1, for permitting a user device to use secured data in an SMA to reconstruct a graphical image which indicates information pertaining to an alert provided in a push notification in accordance with aspects of the present disclosure. This process does not require the user to provide credentials normally required to access the secured data directly from the SMA. It also permits the user device to reconstruct a graphical image, such as a chassis map, from encoded data provided with the push notification when normal communication routes from the user device to a target management server hosting the SMA are not available.

In step 600, the SMA sends a push notification with a notification of an event and encoded data, such as JSON data, to a push server. The notification and the encoded data are related to secured data stored in the SMA. In step 610, the push server sends the push notification with the encoded data to the mobile device. In step 620, the mobile device reconstructs a graphical image, such as a chassis map of a server, using the encoded data provided with the push notification. As discussed herein, in addition to permitting reconstruction of a graphical image, the encoded data provided with the push notification can also include additional information pertaining to the event noted in the notification and the graphical image which is constructed based on the encoded data. As also discussed herein, a significant advantage of this arrangement is that it permits a very quick visual image for the user to review regarding the event identified by the push notification, without the need for the user to contact the SMA following receipt of the push notification.

FIG. 7 shows a flowchart which can be implemented, for example, using the computing system 100 shown in FIG. 1, for providing access to secured data in an SMA on a temporary alternate route to a normal route between the SMA and a user device in accordance with aspects of the present disclosure. Again, in this process, there is no requirement that the user provide credentials normally necessary to access the secured data directly from the SMA using normal communication routes between the user device and the SMA.

In step 700, the SMA pushes a push notification with a one-time password to a push server. In step 710, the push server sends the push notification with the one-time password to the user device. In step 720, the user device accesses the hosted secured data in the SMA via a temporary alternate route, through a normally blocked port or through a hole in a firewall protecting the SMA, using the one-time password provided with the push notification. In step 730, the user device fetches the hosted data from the SMA to store as fetched hosted data in the user device. As discussed herein, this operation permits obtaining secured data from an SMA without the need for extensive steps and credentialing associated with a user device accessing the SMA via normal communication routes such as a VPN. It also permits obtaining such secured data when such normal communication routes are not available.

FIG. 8 shows a flowchart which can be implemented, for example, using the computing system 100 shown in FIG. 1, for providing access to secured data in an SMA on a temporary alternate route to a normal route between the SMA and a user device in accordance with aspects of the present disclosure, wherein the temporary alternate route passes through a push server. Again, in this process, there is no requirement that the user provide credentials normally necessary to access the secured data directly from the SMA using normal communication routes between the user device and the SMA.

In step 800, the SMA pushes a push notification with a one-time password to a push server. In step 810, the push server sends the push notification with the one-time password to the user device. In step 820, the user device accesses the hosted secured data in the SMA using the one-time password provided with the push notification. In this instance, the user device is permitted to access the SMA via a temporary alternate route which passes through the push server which provided the push notification in the first place. Again, the temporary alternate route is connected to a normally blocked port or a hole in the firewall of the SMA to permit temporary access to the secured data related to the push notification. In step 830, the user device fetches the hosted data from the SMA, via a temporary alternate route through the push server, to store as fetched hosted data in the user device. As discussed herein, this operation permits obtaining secured data from an SMA without the need for extensive steps and credentialing associated with a user device accessing the SMA via normal communication routes such as a VPN. It also permits obtaining such secured data when such normal communication routes are not available. In addition, this arrangement takes advantage of the already established connection between the push server and the SMA.

In embodiments, the access information included in the push notification may also include mechanisms to take corrective action, where this action is more limited in scope, impact, and authorized duration than would be allowed with a full log-in to the system management program. This includes, for example, allowing a user to take minor corrective actions for the individual user which will not adversely affect either the SMA or other users of the SMA.

The available actions described above may also be time-limited, and those time limits may be independent of the information aspects. Put another way, the user may still be able to see the details stored as the hosted secured data in the SMA after the opportunity to directly take action has expired. It is also possible to impose additional restrictions on access by the mobile device to the hosted secured data in the SMA. For example, access to this hosted secured data can be limited to mobile devices in certain geographical areas, or to certain days and times.

Although the above discussion focuses on a system management scenario, the same mechanisms described herein could be used in a wide variety of other scenarios where, as an alternative to full access to a high-security environment, a limited set of information can be sent to a less-secure environment for a limited time with the access information transmitted to the user as described. For example, in research programs or defense systems where a large number of users are granted varying degrees of access to centralized information based upon the level of their security clearance, users with lower levels of security clearance can temporarily be granted access to information which is necessary for them to conduct their research or take emergency action, even though these users would not normally be granted such access to this type of information.

The descriptions of the various embodiments have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
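The SMA-side lifecycle of the "throwaway account" discussed earlier, together with the restricted capability set and the separate time windows for viewing and acting just described (steps 700 to 730 and 800 to 830 use the same account from the device side), can be modelled as follows. This is an added Python example and not the patent's or any product's code; the action names (`view_event`, `view_inventory`, `acknowledge_alert`, `collect_logs`), the window lengths, and the `ThrowawayAccounts` registry are assumptions made to show the behaviour. The password is generated once, only its hash is stored, a single log-in is accepted, minor corrective actions stop being allowed before viewing does, power actions are refused outright, and the account is deleted once its information window has passed.

```python
import hashlib
import hmac
import secrets

# Assumed action classes (the page names only "view event details" and "power actions"):
VIEW_ACTIONS = {"view_event", "view_inventory"}          # information, longer window
MINOR_ACTIONS = {"acknowledge_alert", "collect_logs"}    # minor corrective actions, shorter window
# Anything else (power_off, power_cycle, user management, ...) is refused on the alternate route.


def _hash(password: str) -> bytes:
    return hashlib.sha256(password.encode("utf-8")).digest()


class ThrowawayAccounts:
    """SMA-side registry of temporary accounts created alongside a push notification."""

    def __init__(self):
        self.accounts = {}   # account name -> record
        self.sessions = {}   # session id -> account name

    def create(self, event_id: str, now: int, view_ttl: int = 900, act_ttl: int = 300):
        """Called when the notification is sent. The password is returned once, for
        inclusion in the push notification; only its hash is retained here."""
        name = f"tmp-{event_id}-{secrets.token_hex(4)}"
        password = secrets.token_urlsafe(24)
        self.accounts[name] = {
            "event": event_id,
            "pw_hash": _hash(password),
            "view_until": now + view_ttl,    # information window
            "act_until": now + act_ttl,      # independent, shorter action window
            "logged_in": False,              # one-time password: exactly one log-in
        }
        return name, password

    def login(self, name: str, password: str, now: int):
        """Returns a session id on the first valid log-in, otherwise None."""
        acct = self.accounts.get(name)
        if acct is None:
            return None
        if now > acct["view_until"]:
            del self.accounts[name]          # an expired account is discarded on contact
            return None
        if acct["logged_in"] or not hmac.compare_digest(acct["pw_hash"], _hash(password)):
            return None
        acct["logged_in"] = True
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = name
        return sid

    def perform(self, sid: str, action: str, now: int):
        """Authorise one request arriving over the alternate route; returns (allowed, reason)."""
        name = self.sessions.get(sid)
        acct = self.accounts.get(name)
        if acct is None or now > acct["view_until"]:
            self.sessions.pop(sid, None)
            self.accounts.pop(name, None)
            return False, "account expired"
        if action in VIEW_ACTIONS:
            return True, "ok"
        if action in MINOR_ACTIONS:
            if now > acct["act_until"]:
                return False, "action window expired"
            return True, "ok"
        return False, "action not permitted on alternate route"

    def purge(self, now: int) -> int:
        """Housekeeping: delete every account past its information window."""
        expired = [n for n, a in self.accounts.items() if now > a["view_until"]]
        for n in expired:
            del self.accounts[n]
        self.sessions = {s: n for s, n in self.sessions.items() if n in self.accounts}
        return len(expired)


if __name__ == "__main__":
    store = ThrowawayAccounts()
    name, pw = store.create("evt-42", now=1000)        # (name, pw) go into the notification
    sid = store.login(name, pw, now=1010)              # device logs in over the alternate route
    print(store.perform(sid, "view_event", now=1020))  # (True, 'ok')
    print(store.perform(sid, "power_off", now=1020))   # (False, 'action not permitted ...')
```

Keeping the two deadlines in separate fields is what makes the viewing and acting windows independent; the purge is what turns the "short period of time" into actual deletion rather than an account that merely stops working.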

What is claimed:
 1. A method comprising: providing an alert from a system management appliance (SMA) to a user device, the push notification including encoded data to permit the user device to reconstruct information pertaining to the alert.
 2. The method of claim 1, wherein the information comprises at least one of a graphical image, a graphical overlay, a schematic illustration, a table of conditions and an error list.
 3. The method of claim 1, wherein the encoded data is at least one of JavaScript Object Notation (JSON) data, Extensible Markup Language (.xml) data, Comma-separated values (CSV) data, simple tab-delimited text and a custom encoded data format.
 4. The method of claim 3, wherein the encoded data permits the user device to reconstruct a view of hardware which includes at least one of a server, a switch, a storage component, a power supply, a cooling device and a chassis module, and wherein the encoded data indicates problems with the hardware.
 5. The method of claim 3, wherein the encoded data includes multiple unique data constructs representing different information to be reconstructed by the user device.
 6. The method of claim 3, wherein the encoded data comprises JSON data and includes contextual information to provide contextual details regarding a graphical image.
 7. A method comprising: providing a push notification from a system management appliance (SMA) to a user device, the push notification including a one-time password for access to the SMA on a temporary alternate route to a normal route between the SMA and the user device to permit the user device to obtain additional information pertaining to the push notification.
 8. The method of claim 7, wherein the normal route includes a virtual private network (VPN).
 9. The method of claim 8, wherein the push notification is provided to the user device via a push server, and the temporary alternative route includes the push server.
 10. The method of claim 7, wherein the alternate path includes a temporarily unblocked port of the SMA.
 11. The method of claim 7, wherein the SMA creates an account associated with the user device at the time the push notification is provided to the user device.
 12. A system comprising: a system management appliance (SMA) configured to provide a push notification regarding an alert to a user device, wherein the push notification includes encoded data to permit the user device to reconstruct information pertaining to the alert without communicating with the SMA after receiving the push notification.
 13. The system of claim 12, wherein the information comprises at least one of a graphical image, a graphical overlay, a schematic illustration, a table of conditions and an error list.
 14. The system of claim 12, wherein the encoded data is at least one of JavaScript Object Notation (JSON) data, Extensible Markup Language (.xml) data, Comma-separated values (CSV) data, simple tab-delimited text and a custom encoded data format.
 15. The system of claim 14, wherein the encoded data permits the user device to reconstruct a view of hardware which includes at least one of a server, a switch, a storage component, a power supply, a cooling device and a chassis module.
 16. The system of claim 15, wherein the encoded data comprises JSON data and indicates problems with one or more slots in a server chassis.
 17. The system of claim 16, wherein the JSON data includes multiple unique data constructs representing different graphicals to be reconstructed by the user device.
 18. The system of claim 14, wherein the encoded data includes information to provide contextual details regarding the information pertaining to the alert.
 19. The system of claim 14, wherein the encoded data requires a certificate authority from the SMA to permit the user device to use the encoded data.
 20. The system of claim 14, wherein the SMA removes unnecessary information regarding normal systems from the push notification before sending the push notification to the user device.